CN106656975A - Attack defense method and attack defense device - Google Patents

Attack defense method and attack defense device

Info

Publication number: CN106656975A
Authority: CN (China)
Prior art keywords: module, attack, message, characteristic information, defence
Legal status: Granted (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201610905498.5A
Other languages: Chinese (zh)
Other versions: CN106656975B (en)
Inventors: 徐燕成, 王伟
Current assignee: New H3C Information Technologies Co Ltd (as listed by Google Patents)
Original assignee: New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd; priority to CN201610905498.5A
Publication of CN106656975A; application granted; publication of CN106656975B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection

Abstract

The embodiment of the invention provides an attack defense method and an attack defense device. The method comprises steps: a defense packet from a first module is received, wherein the defense packet carries feature information for describing the attack; whether a second module associated with the first module is recorded in an anti-attack table entry is retrieved; and if yes, the feature information is transmitted to the second module to enable the second module to carry out defense processing on a received packet matched with the feature information according to the feature information. Thus, during the anti-attack process, through linkage defense among related modules, the defense ability of the device is greatly improved, communication among modules is reduced, the system burden is effectively lessened, and the resource utilization rate and the user experience are improved.

Description

Attack defense method and device
Technical field
The present invention relates to the field of communication technology, and in particular to an attack defense method and device.
Background
Network attacks are now increasingly frequent, and some network devices run into more and more problems in network use. To strengthen the anti-attack capability of a network device, the main solution in the prior art is to implement targeted defenses in the device for different attack patterns and attack means.
When the prior art performs attack defense, the defense processing of each defense module is independent of the others, so the linkage between the defense modules is poor. This wastes resources and can even lower the defense capability.
Summary of the invention
The technical problem solved by the embodiments of the present invention is to provide an attack defense method that improves resource utilization and the attack defense capability of a device.
To solve the above problem, an embodiment of the present invention discloses an attack defense method, including:
receiving a defense message from a first module, the defense message carrying feature information describing an attack;
retrieving whether an anti-attack table entry records a second module associated with the first module;
if so, sending the feature information to the second module, so that the second module performs defense processing, according to the feature information, on received packets that match the feature information.
Correspondingly, an embodiment of the present invention also provides an attack defense device to ensure the implementation and application of the above method. The device includes:
a first receiving module, for receiving a defense message from a first module, the defense message carrying feature information describing an attack;
a retrieval module, for retrieving whether an anti-attack table entry records a second module associated with the first module;
a sending module, for sending the feature information to the second module if so, so that the second module performs defense processing, according to the feature information, on received packets that match the feature information.
Thus, in the embodiments of the present invention, a defense message carrying feature information describing an attack is received from a first module; whether an anti-attack table entry records a second module associated with the first module is retrieved; and if so, the feature information is sent to the second module, so that the second module performs defense processing on received packets that match the feature information. During anti-attack processing, linkage defense between associated modules therefore greatly improves the defense capability of the device and reduces inter-module communication, which effectively relieves the system load and improves resource utilization and user experience.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed to describe the embodiments are briefly introduced below. Clearly, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the steps of an embodiment of an attack defense method of the present invention;
Fig. 2 is a block diagram of an embodiment of an attack defense device of the present invention;
Fig. 3 is a block diagram of an embodiment of an attack defense device of the present invention.
Detailed description
To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.
At present the number and the kinds of network attacks grow daily. In the prior art, a network device typically uses targeted means to defend against different kinds of attack, for example ARP anti-spoofing, ping attack protection, DHCP starvation protection and ICMP protocol packet rate limiting. Modules on the driver side and/or the platform side defend against the different types of attack, thereby ensuring the security of the network device.
However, because the anti-attack processing of each module in the prior art is independent, the linkage between modules is poor. When several modules are attacked by the same attacker, each of them has to identify the attack packets and then perform defense processing, which noticeably increases the load on the device. The prior art may also be unable to identify an attack accurately. For example, when a network device is under ICMP attack, the driver-side defense module has a rate-limiting defense function and rate-limits the packets. When the rate-limited packets reach the platform side, the number of packets received there may not exceed the threshold the platform side uses to identify an attack, so the platform-side defense module cannot effectively identify the attack. In that case, because the platform-side defense module has not identified an attack, the platform processes the attack packets as normal (this processing differs from the defense processing described earlier: it is the platform side's ordinary response processing of packets). This wastes CPU and memory resources and also affects the processing efficiency of other packets.
In view of the above problems, one of the core ideas of the embodiments of the present invention is to propose an attack defense method and device that effectively improve resource utilization and the attack defense capability of a device.
Referring to Fig. 1, which shows a flowchart of the steps of an embodiment of an attack defense method of the present invention, the method may specifically include the following steps:
Step 101: receive a defense message from a first module, the defense message carrying feature information describing an attack.
Specifically, the attack defense method in the embodiments of the present invention is applied in a network device, which includes but is not limited to a router or a switch. The driver side and/or the platform side of the network device includes one or more defense modules for different types of attack, for example an ICMP module or a DHCP module.
The first module inspects the packets it receives. In one embodiment of the present invention, if the first module detects that it is under attack, it sends a defense message to the anti-attack module, informing the anti-attack module that it is under attack; the defense message carries feature information describing the attack. In another embodiment, a user can manually configure feature information describing an attack in the first module, in which case the defense message the first module sends to the anti-attack module can also carry that manually configured feature information. In the embodiments of the present invention, feature information includes but is not limited to: address information (the address information of the attacker and of the attack target), the attacked interface, the attack type and the ageing time. In a further embodiment, some modules, for example the driver-side ICMP module, cannot identify the address information of the attacker when under attack and can only determine that they are currently under attack; the defense message such a module reports to the anti-attack module can then carry only the attack type and the ageing time as feature information.
In the embodiments of the present invention the anti-attack module is named only to help a person of ordinary skill in the art understand the invention; the functions it performs can be realized by any module or software in the network device, and the present invention is not limited in this respect.
Step 102: retrieve whether an anti-attack table entry records a second module associated with the first module.
Specifically, in an embodiment of the present invention, the anti-attack module searches the contents recorded in the locally stored anti-attack table entry to determine whether a second module associated with the first module exists in the network device.
Step 103: if so, send the feature information to the second module, so that the second module performs defense processing, according to the feature information, on received packets that match the feature information.
Specifically, if the anti-attack module finds that a second module associated with the first module exists in the network device, it sends the feature information it obtained to the second module, so that the second module can perform further defense processing according to that feature information.
The second module receives the feature information sent by the anti-attack module and stores it in its local defense table. The second module can then perform defense processing, according to the feature information recorded in its local defense table, on received packets that match the feature information. Defense processing includes, for example, identifying attack packets and discarding them; the concrete defense processing can be realized by prior-art anti-attack techniques and is not repeated here.
In summary, in the technical solution provided by the embodiments of the present invention, a defense message carrying feature information describing an attack is received from a first module; whether an anti-attack table entry records a second module associated with the first module is retrieved; and if so, the feature information is sent to the second module, so that the second module performs defense processing on received packets that match the feature information. During anti-attack processing, linkage defense between associated modules therefore greatly improves the defense capability of the device and reduces inter-module communication, which effectively relieves the system load and improves resource utilization and user experience.
In a preferred embodiment of the present invention, before step 101 begins, the method further includes: the anti-attack module receives a registration request from the first module and an association request from the second module. The registration request carries first identification information identifying the first module; the association request carries second identification information identifying the second module and indicates that the second module is associated with the first module. The anti-attack module then writes the first identification information and the second identification information into the anti-attack table entry, one corresponding to the other.
In a preferred embodiment of the present invention, after step 101 the method further includes: the anti-attack module writes the feature information carried in the received defense message into the anti-attack table entry, where the feature information corresponds to the first identification information and the second identification information.
In a preferred embodiment of the present invention, after step 102 the method further includes: if the anti-attack module receives an attack release message from the first module, it deletes the feature information corresponding to that attack from the anti-attack table entry and notifies the second module to stop the defense processing corresponding to the current attack.
In a preferred embodiment of the present invention, after step 102 the method may further include: the anti-attack module looks up the ageing time corresponding to the attack that is recorded in the local anti-attack table entry; when the ageing time has elapsed, it deletes the feature information corresponding to the attack from the anti-attack table entry and notifies the second module to stop the defense processing corresponding to the current attack.
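The following is an added illustrative model of the anti-attack module and its table as described in steps 101 to 103 and in the registration, association, release and ageing embodiments above. It is not code from the patent or from the assignee; the class names, field names, module identifiers, interface name and addresses are assumptions chosen for the example. It models one table entry per (reporting module, attack type) pair with an expiry computed from the ageing time, forwards each reported feature to every associated module, and on release or expiry tells those modules to drop the feature from their local defense tables.

```python
"""Added illustrative model of the anti-attack module (steps 101-103 plus the
registration, association, release and ageing embodiments). It is not the
patent's own code; class, field, module and address names are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FeatureInfo:
    """Feature information carried in a defense message."""
    attack_type: str                   # e.g. "ICMP"
    interface: Optional[str] = None    # attacked interface, if known
    attacker_ip: Optional[str] = None  # None when the reporter cannot name the attacker
    ageing_time: float = 20.0          # seconds until the table entry is deleted


class DefenseModule:
    """A defense module (ICMP1, ICMP2, ...) holding its local defense table."""

    def __init__(self, module_id: str):
        self.module_id = module_id
        self.defense_table: dict[str, FeatureInfo] = {}  # attack_type -> feature

    def on_notify(self, feature: FeatureInfo) -> None:
        self.defense_table[feature.attack_type] = feature  # receiving end of step 103

    def on_release(self, attack_type: str) -> None:
        self.defense_table.pop(attack_type, None)

    def should_drop(self, packet: dict) -> bool:
        """Defense processing: drop a packet whose source is a recorded attacker."""
        feature = self.defense_table.get(packet["type"])
        return feature is not None and feature.attacker_ip == packet["src"]


class AntiAttackModule:
    """Keeps the anti-attack table: registrations, associations and features."""

    def __init__(self, clock):
        self.clock = clock  # callable returning the current time in seconds
        self.modules: dict[str, DefenseModule] = {}
        self.associated: dict[str, set[str]] = {}
        self.entries: dict[tuple[str, str], tuple[FeatureInfo, float]] = {}

    def register(self, module: DefenseModule) -> None:
        """Registration request: record the module under its identification."""
        self.modules[module.module_id] = module
        self.associated.setdefault(module.module_id, set())

    def associate(self, module_id: str, with_id: str) -> None:
        """Association request: the two modules become linkage partners."""
        self.associated.setdefault(module_id, set()).add(with_id)
        self.associated.setdefault(with_id, set()).add(module_id)

    def receive_defense_message(self, sender: str, feature: FeatureInfo) -> list[str]:
        """Steps 101-103: record the feature, then forward it to associated modules."""
        self.entries[(sender, feature.attack_type)] = (feature, self.clock() + feature.ageing_time)
        notified = []
        for peer_id in sorted(self.associated.get(sender, ())):  # step 102
            self.modules[peer_id].on_notify(feature)              # step 103
            notified.append(peer_id)
        return notified

    def release(self, sender: str, attack_type: str) -> None:
        """Attack release message: delete the entry and tell the peers to stop."""
        self._delete(sender, attack_type)

    def age_out(self) -> list[tuple[str, str]]:
        """Delete entries whose ageing time has elapsed, notifying the peers."""
        now = self.clock()
        expired = [key for key, (_, exp) in self.entries.items() if exp <= now]
        for key in expired:
            self._delete(*key)
        return expired

    def _delete(self, sender: str, attack_type: str) -> None:
        if self.entries.pop((sender, attack_type), None) is None:
            return
        for peer_id in self.associated.get(sender, ()):
            self.modules[peer_id].on_release(attack_type)


def icmp_scenario() -> dict:
    """Constructed run of the ICMP1/ICMP2 linkage: report, address feedback, ageing."""
    now = [0.0]
    coord = AntiAttackModule(lambda: now[0])
    icmp1, icmp2 = DefenseModule("ICMP1"), DefenseModule("ICMP2")
    coord.register(icmp1)
    coord.register(icmp2)
    coord.associate("ICMP2", "ICMP1")  # user declares ICMP2 associated with ICMP1
    attacker_pkt = {"type": "ICMP", "src": "10.0.0.9"}  # constructed sample packet
    r = {}
    # driver side knows only the attack type and the attacked interface
    r["notified_by_icmp1"] = coord.receive_defense_message(
        "ICMP1", FeatureInfo("ICMP", interface="GE1/0/1"))
    r["icmp1_drops_before"] = icmp1.should_drop(attacker_pkt)
    # platform side identifies the attacker and feeds the address back
    r["notified_by_icmp2"] = coord.receive_defense_message(
        "ICMP2", FeatureInfo("ICMP", interface="GE1/0/1", attacker_ip="10.0.0.9"))
    r["icmp1_drops_after"] = icmp1.should_drop(attacker_pkt)
    now[0] = 21.0  # past the 20 s ageing time
    r["expired"] = coord.age_out()
    r["icmp1_drops_expired"] = icmp1.should_drop(attacker_pkt)
    return r
```

`icmp_scenario()` walks the loop in the order the embodiments describe: the first report carries no address, so ICMP1 still cannot drop anything; after ICMP2 reports the attacker address, ICMP1 drops that source; once the ageing time has elapsed both entries are deleted and both local defense tables are cleared. A real implementation would also want the anti-attack module to reject association requests naming an unregistered module, which this model omits.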
To better understand the attack defense method of the present invention, it is described in detail below with specific embodiments.
(1) Detailed illustration using ICMP attack protection as an example.
ICMP attack protection has a corresponding module on each of the driver side and the platform side. In this embodiment the driver-side ICMP attack protection module is called the ICMP1 module and the platform-side ICMP attack protection module is called the ICMP2 module.
When the user completes the ICMP attack protection configuration on the network device, the ICMP1 module and the ICMP2 module are activated and send registration requests to the anti-attack module. In an embodiment of the present invention, a defense module that has been activated (that is, whose attack protection configuration is complete) can send a registration request to the anti-attack module. The registration request includes identification information identifying the defense module. In this embodiment, the registration request the ICMP1 module sends to the anti-attack module carries first identification information that identifies the ICMP1 module, so that the anti-attack module can uniquely identify the ICMP1 module; the first identification information includes but is not limited to the name and the module ID of the ICMP1 module. The registration message of the ICMP2 module is similar to that of the ICMP1 module and is not repeated here. After receiving a registration request, the anti-attack module obtains the identification information in it and writes it into the locally stored anti-attack table entry.
If the user, according to actual requirements, expects the ICMP1 module and the ICMP2 module to perform linkage defense, that is, the ICMP1 module and the ICMP2 module are strongly associated modules of each other, the user can specify in the network device that the ICMP2 module is associated with the ICMP1 module. According to the user instruction, the ICMP2 module can send an association request to the anti-attack module in order to be associated with the ICMP1 module. The association request carries identification information identifying the ICMP2 module, such as the name and the module ID of the ICMP2 module. After receiving the association request, the anti-attack module writes the identification information of the ICMP2 module obtained from the association request into the anti-attack table entry, corresponding to the identification information of the ICMP1 module.
When an attacker launches an ICMP attack on the network device, the driver-side ICMP1 module, being a bottom-layer module, receives the attack packets before the platform-side ICMP2 module. After receiving ICMP attack packets, the ICMP1 module detects that it is currently under ICMP attack. The concrete detection method can be realized by the prior art, for example the number of received attack packets exceeding a threshold; the present invention is not limited in this respect.
After the ICMP1 module detects that it is currently under ICMP attack, because the module has no function for identifying the attack further, the ICMP1 module only rate-limits the attack packets. For example: attacker A sends 1000 attack packets to the network device while ordinary users B and C each send 100 normal packets to the network device. When the ICMP1 module receives the 1200 packets, the count exceeds the threshold and the ICMP1 module confirms that it is currently under ICMP attack. But because of its functional limits, the ICMP1 module cannot determine which of the 1200 packets it has received were sent by the attacker and which are normal packets from ordinary users. The ICMP1 module therefore only rate-limits the received packets; in this embodiment the rate limit is 200 packets per second.
After detecting that it is under ICMP attack, the ICMP1 module sends a defense message to the anti-attack module in the network device. The defense message carries feature information describing the ICMP attack, such as the attack type (ICMP attack in this embodiment), the attacked interface and the ageing time (20 s in this embodiment).
After receiving the defense message, the anti-attack module obtains the feature information it carries and writes it into the locally stored anti-attack table entry. At the same time, the anti-attack module searches the anti-attack table entry for a module associated with the ICMP1 module and determines that it is the ICMP2 module. The anti-attack module sends a notification message to the ICMP2 module, informing it that the ICMP1 module is currently under attack, so that the ICMP2 module performs defense processing on the packets it receives. The notification message also carries the feature information describing the ICMP attack, namely the attack type, the attacked interface and the ageing time. The ICMP2 module writes the received feature information into its locally stored defense table for later use. In other embodiments the notification message can also carry the identification information of the ICMP1 module; the present invention is not limited in this respect.
Specifically, after rate limiting by the ICMP1 module, packets are sent to the platform-side ICMP2 module at 200 per second. In the prior art, the ICMP2 module starts defense processing after receiving the 200 packets and performs attack identification on them to find out whether they contain packets sent by an attacker. For example, suppose the 200 packets include 100 ICMP attack packets sent by the attacker and 100 ordinary packets, and suppose the threshold configured in the ICMP2 module is 110, that is, defense processing starts only when a given kind of packet exceeds 110. Since the 200 rate-limited packets contain only 100 attack packets, and the number of attack packets does not exceed the threshold in the ICMP2 module, the ICMP2 module does not perform any defense processing on the 200 packets but proceeds directly to the subsequent processing.
In the embodiment of the present invention, because the ICMP2 module has received the notification message sent by the anti-attack module and its locally stored defense table records the feature information related to the ICMP attack, the ICMP2 module performs defense processing on the 200 rate-limited packets as soon as it receives them, identifies the attack packets and discards them. The concrete defense processing method can be realized by the prior art and is not repeated here.
After performing defense processing on the received packets, the ICMP2 module can obtain more detailed feature information describing the attack, for example the address information of the attacker (IP address and MAC address). The ICMP2 module can likewise send a defense message to the anti-attack module, carrying the feature information of the attack that the ICMP2 module obtained.
The anti-attack module receives and obtains this feature information and writes it into the anti-attack table entry. The feature information related to the ICMP attack recorded in the anti-attack table entry now includes more specific feature information such as the address information of the attacker, the attack type and the ageing time.
The anti-attack module searches again and confirms that the module associated with the ICMP2 module is the ICMP1 module. The anti-attack module notifies the ICMP1 module and sends it the feature information. The details are similar to the steps above and are not repeated here.
After receiving the feature information, the ICMP1 module writes it into its locally stored defense table and performs defense processing on attack packets according to the feature information recorded there. Specifically, the ICMP1 module can discard the packets that correspond to the address information in the defense table, that is, the packets sent by the attacker. Because the driver-side ICMP1 module discards all the attack packets, the platform-side ICMP2 module no longer receives attack packets, which relieves the load on the platform side, further lightens the system load of the network device and improves resource utilization and user experience.
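The following is an added simulation of the two-stage ICMP scenario above; it is not code from the patent or the assignee. It shows in numbers why a platform-side threshold detector can miss an attack that the driver side has already rate-limited, and what changes once the anti-attack module relays the driver side's defense message and the platform side's attacker address flows back. The traffic mix (one attacker at 1000 packets per window, two users at 100 each), the 200-packet cap, the 500-packet driver-side detection threshold, the 180-packet per-source platform threshold, the addresses and the way the platform side picks the attacker in defense mode (the dominant source in the window) are all modelling assumptions; the patent's own figures (200/s, threshold 110) are illustrative rather than a specification.

```python
"""Added simulation (not from the patent) of rate-limit masking on the
platform side and of the effect of the linkage notification. Rates, caps,
thresholds and addresses are assumptions chosen for the model."""
from collections import Counter
from typing import Optional

ATTACKER, USER_B, USER_C = "10.0.0.9", "10.0.0.2", "10.0.0.3"  # constructed


def one_second_window(steps: int = 1000) -> list[str]:
    """Constructed arrival order: the attacker sends on every step, B and C on every tenth."""
    pkts = []
    for step in range(steps):
        pkts.append(ATTACKER)
        if step % 10 == 9:
            pkts.extend((USER_B, USER_C))
    return pkts  # 1000 attacker packets interleaved with 100 from B and 100 from C


class DriverSideICMP:
    """ICMP1: detects by volume and rate-limits; cannot tell who is attacking."""

    def __init__(self, detect_threshold: int = 500, cap: int = 200):
        self.detect_threshold, self.cap = detect_threshold, cap
        self.blocked: set[str] = set()  # filled only through the linkage feedback

    def process(self, window: list[str]) -> tuple[bool, list[str]]:
        kept = [src for src in window if src not in self.blocked]
        under_attack = len(kept) > self.detect_threshold
        forwarded = kept[: self.cap] if under_attack else kept  # rate limiting
        return under_attack, forwarded


class PlatformSideICMP:
    """ICMP2: identifies the attacker by per-source count. Without linkage the
    identification only fires once a source exceeds the threshold; after the
    notification from the anti-attack module it runs unconditionally."""

    def __init__(self, threshold: int = 180):
        self.threshold = threshold
        self.defense_active = False

    def notify(self) -> None:
        self.defense_active = True  # feature info (attack type, interface) received

    def identify(self, forwarded: list[str]) -> Optional[str]:
        src, count = Counter(forwarded).most_common(1)[0]
        # modelling assumption: in defense mode the dominant source is the attacker
        if self.defense_active or count > self.threshold:
            return src
        return None


def simulate(linkage: bool) -> dict:
    """Two windows of traffic through ICMP1 then ICMP2, with or without linkage."""
    icmp1, icmp2 = DriverSideICMP(), PlatformSideICMP()
    under_attack, forwarded = icmp1.process(one_second_window())
    if under_attack and linkage:
        icmp2.notify()  # the anti-attack module relays ICMP1's defense message
    attacker = icmp2.identify(forwarded)
    if attacker and linkage:
        icmp1.blocked.add(attacker)  # ICMP2's address feature flows back to ICMP1
    _, second = icmp1.process(one_second_window())  # next window of traffic
    return {
        "driver_detected": under_attack,
        "forwarded_from_attacker": forwarded.count(ATTACKER),
        "attacker_identified": attacker,
        "second_window_from_attacker": second.count(ATTACKER),
        "second_window_total": len(second),
    }
```

With `simulate(False)` the driver side detects the flood and caps the window at 200 packets, of which 168 come from the attacker; that is below the platform side's 180-packet threshold, so ICMP2 never identifies anyone and the next window again delivers 168 attacker packets to the platform. With `simulate(True)` the notification makes ICMP2 run its identification on the same 200 packets, the address is pushed back to ICMP1, and the next window reaching the platform contains only the 200 legitimate packets from B and C, with no rate limiting needed.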
In an embodiment of the present invention, after all the attack packets have been discarded, the ICMP1 module releases the ICMP defense processing and sends an attack release message to the anti-attack module. According to the received attack release message, the anti-attack module deletes the corresponding feature information from the anti-attack table entry. At the same time it sends an attack release notification to the ICMP2 module, notifying it to stop the current defense processing. When the ICMP2 module receives the attack release notification it is receiving no attack packets, since the ICMP1 module discards them, and so is performing no defense processing; the ICMP2 module only deletes the content corresponding to the ICMP attack recorded in its locally stored defense table.
In another embodiment of the present invention, if the attacker keeps sending attack packets after the ICMP1 module has discarded all the attack packets from that attacker, the ICMP1 module does not release the ICMP defense processing but continues to discard the attack packets it receives. When the anti-attack module detects that the ageing time of the ICMP attack (20 s in this embodiment) has been exceeded, it deletes the feature information corresponding to the ICMP attack recorded in the anti-attack table entry and notifies the ICMP2 module to stop defense processing. Because the ICMP1 module is still under ICMP attack, it can send a defense message to the anti-attack module again in order to re-establish the linkage defense relationship with the ICMP2 module.
(2) Detailed illustration using AAA attack protection and PPPOE attack protection as an example.
When the user completes the AAA attack protection configuration on the network device, the AAA module is activated and sends a registration request to the anti-attack module. The user sets the PPPOE module and the AAA module as strongly associated modules, that is, the PPPOE module sends an association request to the anti-attack module in order to be associated with the AAA module.
The anti-attack module writes the identification information of the AAA module and of the PPPOE module, one corresponding to the other, into the locally stored anti-attack table entry.
When an attacker launches an AAA attack on the network device, the AAA module detects that it is under attack and identifies the feature information of the attack. Unlike the ICMP1 module in the embodiment above, the AAA module can directly identify feature information such as the address information of the attacker, so the feature information the AAA module obtains includes the address information of the attacker, the destination address information, the attack type, the attacked interface and the ageing time.
The AAA module sends a defense message carrying the above feature information to the anti-attack module. The anti-attack module obtains the feature information from the defense message and writes it into the anti-attack table entry.
By searching the anti-attack table entry, the anti-attack module determines that the module associated with the AAA module is the IPOE module (the module referred to above as the PPPOE module). The anti-attack module sends a notification message to the IPOE module, carrying the feature information corresponding to the attack that is recorded in the anti-attack table entry.
The IPOE module receives the notification message, obtains the feature information in it and writes it into its local defense table. Subsequently, according to the contents of the defense table, the IPOE module can identify packets corresponding to the address information of the attacker in the feature information, and can then directly discard all packets sent by that attacker. Because the IPOE module discards all packets from the attacker, the attacker's authentication connection to the network device is torn down, so the AAA module receives no further packets from that attacker, which relieves the load on that module and further lightens the load on the network device. The details and subsequent processing in this embodiment are similar to the embodiments above and are not repeated here.
(3) In one embodiment of the present invention, when configuring attack protection for the first module, the user can first manually set feature information describing an attack in the first module, for example a blacklist in which the addresses and other information of known attackers are recorded. After the first module is activated, it sends a registration request to the anti-attack module. The user sets the first module and the second module as strongly associated modules, that is, the first module sends an association request to the anti-attack module in order to be associated with the second module.
The anti-attack module writes the identification information of the first module and of the second module, one corresponding to the other, into the locally stored anti-attack table entry.
The first module sends a defense message to the anti-attack module, carrying the feature information recorded in the blacklist. The anti-attack module obtains the feature information from the defense message and writes it into the anti-attack table entry.
By searching the anti-attack table entry, the anti-attack module determines that the module associated with the first module is the second module. The anti-attack module sends the feature information from the first module to the second module.
The second module receives the feature information and writes it into its local defense table. Subsequently, when the second module receives packets matching this feature information, that is, packets sent by an attacker on the blacklist, it can directly discard all such packets. The second module then does not need to identify the attack packets itself, which effectively relieves the load on that module and further lightens the load on the network device. The details and subsequent processing in this embodiment are similar to the embodiments above and are not repeated here.
Based on the same inventive concept as the above method, an embodiment of the present invention also provides an attack defence device applied to a network device. The attack defence device can be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the device in the logical sense is formed by the processor of the routing device in which it is located reading the corresponding computer program instructions from non-volatile storage. At the hardware level, in addition to the processor and the non-volatile memory, the routing device may also include other hardware, such as a forwarding chip responsible for processing messages, network interfaces, memory and so on; in terms of hardware structure, the routing device may also be a distributed device, possibly including multiple interface cards, so as to extend message processing at the hardware level.
Referring to Fig. 2, a structural block diagram of an embodiment of an attack defence device 200 of the invention is shown, which may specifically include the following modules:
A first receiving module 201, for receiving a defence message from the first module, the defence message carrying characteristic information for describing an attack.
A retrieval module 202, for retrieving whether a second module associated with the first module is recorded in the attack protection table entry.
A sending module 203, for, if so, sending the characteristic information to the second module, so that the second module performs defence processing, according to the characteristic information, on received messages that match the characteristic information.
Referring to Fig. 3, in one embodiment of the invention, on the basis of Fig. 2, the attack defence device 200 may also include:
A second receiving module 204, for receiving a registration request from the first module and an association request from the second module, wherein the registration request carries first identification information identifying the first module, the association request carries second identification information identifying the second module, and the association request is used to indicate that the second module is associated with the first module.
A writing module 205, for writing the first identification information and the second identification information, in correspondence, into the attack protection table entry.
In one embodiment of the invention, the writing module 205 may further be used for writing the characteristic information into the attack protection table entry.
With continued reference to Fig. 3, in one embodiment of the invention, the attack defence device 200 also includes:
A notification module 206, for, if an attack release message from the first module is received, deleting the characteristic information from the attack protection table entry and notifying the second module to stop defence processing.
In one embodiment of the invention, the notification module 206 may further be used for deleting the characteristic information from the attack protection table entry after the ageing time corresponding to the attack has elapsed, and notifying the second module to stop defence processing.
In one embodiment of the invention, the characteristic information carried in the defence message received by the first receiving module includes at least one of: address information, interface information, attack type, ageing time.
In summary, the attack defence device provided by the embodiment of the present invention receives a defence message from the first module, the defence message carrying characteristic information for describing an attack; retrieves whether a second module associated with the first module is recorded in the attack protection table entry; and if so, sends the characteristic information to the second module, so that the second module performs defence processing, according to the characteristic information, on received messages that match the characteristic information. Thus, during attack protection, the linkage defence between associated modules greatly improves the defence capability of the device and reduces inter-module communication, thereby effectively relieving the system burden and improving resource utilisation and user experience.
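The four kinds of characteristic information listed here (address, interface, attack type, ageing time) are what the second module has to match received messages against. The added Python example below (not code from the patent) generalises the address-only blacklist of the earlier embodiment: any of the three match fields may be left unset and then acts as a wildcard, while ageing time only governs how long the entry lives and is deliberately not a match field. The interface names, addresses and the packet dictionaries are constructed sample data; the `attack_type` key is assumed to be supplied by whatever basic classification precedes the defence table lookup.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Characteristic:
    """Characteristic information describing an attack. None in a match
    field means 'any'; ageing_time is lifetime only, never matched on."""
    address: Optional[str] = None
    interface: Optional[str] = None
    attack_type: Optional[str] = None
    ageing_time: Optional[int] = None   # seconds


def matches(info: Characteristic, packet: Dict[str, str]) -> bool:
    """True when every set match field of info equals the packet's field.
    An entry with no match field set is rejected rather than treated as a
    match-all rule, so a malformed defence message cannot drop all traffic."""
    fields = (("address", info.address),
              ("interface", info.interface),
              ("attack_type", info.attack_type))
    if all(expected is None for _, expected in fields):
        return False
    return all(expected is None or packet.get(name) == expected
               for name, expected in fields)


def filter_packets(defence_table: List[Characteristic],
                   packets: List[Dict[str, str]]) -> Dict[str, int]:
    """Apply a local defence table to a batch of classified packets and
    return how many were dropped and how many forwarded."""
    result = {"dropped": 0, "forwarded": 0}
    for pkt in packets:
        if any(matches(info, pkt) for info in defence_table):
            result["dropped"] += 1
        else:
            result["forwarded"] += 1
    return result


# Constructed sample defence table: one attacker address on any interface,
# and one attack type confined to one port.
SAMPLE_TABLE = [
    Characteristic(address="198.51.100.7", ageing_time=300),
    Characteristic(interface="GigabitEthernet1/0/1", attack_type="arp-spoof"),
]

# Constructed sample packets after basic classification.
SAMPLE_PACKETS = [
    {"address": "198.51.100.7", "interface": "GigabitEthernet1/0/2", "attack_type": "syn-flood"},
    {"address": "203.0.113.4", "interface": "GigabitEthernet1/0/1", "attack_type": "arp-spoof"},
    {"address": "203.0.113.4", "interface": "GigabitEthernet1/0/1", "attack_type": "icmp-flood"},
    {"address": "203.0.113.9", "interface": "GigabitEthernet1/0/3"},
]
```

Running `filter_packets(SAMPLE_TABLE, SAMPLE_PACKETS)` drops the first two packets (address match, then interface-plus-type match) and forwards the other two; the third packet shares the interface of the second entry but not its attack type, so it passes.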
As for the device embodiment, since it is basically similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
Each embodiment in this specification is described progressively; each embodiment emphasises its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a device or a computer program product. Therefore, the embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce a device for realising the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operational steps are performed on the computer or other programmable terminal device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable terminal device provide steps for realising the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although the preferred embodiments of the embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.
Finally, it should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "including", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not expressly listed, or also includes elements inherent to such a process, method, article or terminal device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or terminal device that includes the element.
The attack defence method and device provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present invention, and the description of the above embodiments is only intended to help understand the method of the present invention and its core idea; meanwhile, for those of ordinary skill in the art, changes may be made in the specific embodiments and the range of application according to the idea of the present invention. In summary, the content of this specification should not be construed as a limitation of the present invention.

Claims (12)

1. An attack defence method, characterised in that it includes:
receiving a defence message from a first module, the defence message carrying characteristic information for describing an attack;
retrieving whether a second module associated with the first module is recorded in an attack protection table entry;
if so, sending the characteristic information to the second module, so that the second module performs defence processing, according to the characteristic information, on received messages that match the characteristic information.
2. The method according to claim 1, characterised in that, before the step of receiving the defence message from the first module, the method further includes:
receiving a registration request from the first module and an association request from the second module, wherein the registration request carries first identification information identifying the first module, the association request carries second identification information identifying the second module, and the association request is used to indicate that the second module is associated with the first module;
writing the first identification information and the second identification information, in correspondence, into the attack protection table entry.
3. The method according to claim 2, characterised in that, after the step of receiving the defence message from the first module, the method further includes:
writing the characteristic information into the attack protection table entry.
4. The method according to claim 3, characterised in that, after the step of sending the characteristic information to the second module, the method further includes:
if an attack release message from the first module is received, deleting the characteristic information from the attack protection table entry and notifying the second module to stop the defence processing.
5. The method according to claim 3, characterised in that, after the step of sending the characteristic information to the second module, the method further includes:
after the ageing time corresponding to the attack has elapsed, deleting the characteristic information from the attack protection table entry and notifying the second module to stop the defence processing.
6. The method according to any one of claims 1-5, characterised in that the characteristic information includes at least one of:
address information, interface information, attack type, ageing time.
7. An attack defence device, characterised in that it includes:
a first receiving module, for receiving a defence message from a first module, the defence message carrying characteristic information for describing an attack;
a retrieval module, for retrieving whether a second module associated with the first module is recorded in an attack protection table entry;
a sending module, for, if so, sending the characteristic information to the second module, so that the second module performs defence processing, according to the characteristic information, on received messages that match the characteristic information.
8. The device according to claim 7, characterised in that the device further includes:
a second receiving module, for receiving a registration request from the first module and an association request from the second module, wherein the registration request carries first identification information identifying the first module, the association request carries second identification information identifying the second module, and the association request is used to indicate that the second module is associated with the first module;
a writing module, for writing the first identification information and the second identification information, in correspondence, into the attack protection table entry.
9. The device according to claim 8, characterised in that the writing module is further used for writing the characteristic information into the attack protection table entry.
10. The device according to claim 9, characterised in that the device further includes:
a notification module, for, if an attack release message from the first module is received, deleting the characteristic information from the attack protection table entry and notifying the second module to stop the defence processing.
11. The device according to claim 9, characterised in that the notification module is further used for deleting the characteristic information from the attack protection table entry after the ageing time corresponding to the attack has elapsed, and notifying the second module to stop the defence processing.
12. The device according to any one of claims 7-12, characterised in that the characteristic information carried in the defence message received by the first receiving module includes at least one of:
address information, interface information, attack type, ageing time.
CN201610905498.5A 2016-10-18 2016-10-18 Attack defense method and device Active CN106656975B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610905498.5A CN106656975B (en) 2016-10-18 2016-10-18 Attack defense method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610905498.5A CN106656975B (en) 2016-10-18 2016-10-18 Attack defense method and device

Publications (2)

Publication Number Publication Date
CN106656975A true CN106656975A (en) 2017-05-10
CN106656975B CN106656975B (en) 2020-01-24

Family

ID=58855376

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610905498.5A Active CN106656975B (en) 2016-10-18 2016-10-18 Attack defense method and device

Country Status (1)

Country Link
CN (1) CN106656975B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110191104A (en) * 2019-05-10 2019-08-30 新华三信息安全技术有限公司 A kind of method and device of security protection
CN110519265A (en) * 2019-08-27 2019-11-29 新华三信息安全技术有限公司 A kind of method and device of defensive attack
CN113225334A (en) * 2021-04-30 2021-08-06 中国工商银行股份有限公司 Terminal security management method and device, electronic equipment and storage medium
CN113746800A (en) * 2021-07-29 2021-12-03 北京七壹技术开发有限公司 Intelligent multi-platform cooperative defense method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1791021A (en) * 2005-12-21 2006-06-21 杭州华为三康技术有限公司 Intrusion detecting system and network apparatus linking system and method
CN102571786A (en) * 2011-12-30 2012-07-11 深信服网络科技(深圳)有限公司 Method for linkage defense among multiple safety modules in firewall and firewall
CN103491076A (en) * 2013-09-09 2014-01-01 杭州华三通信技术有限公司 Method and system for defending against network attacks
CN105871775A (en) * 2015-01-19 2016-08-17 中国移动通信集团公司 Security protection method and DPMA protection model


Also Published As

Publication number Publication date
CN106656975B (en) 2020-01-24

Similar Documents

Publication Publication Date Title
US9110703B2 (en) Virtual machine packet processing
CN105474602B (en) The method, apparatus and equipment of attack stream are identified in software defined network
CN104468624B (en) SDN controllers, routing/exchanging equipment and network defense method
CN106656975A (en) Attack defense method and attack defense device
CN103609089B (en) A kind of preventing is attached to the method and device of Denial of Service attack on the main frame of subnet
CN108134748B (en) Packet loss method and device based on fast forwarding table entry
CN104660565A (en) Hostile attack detection method and device
WO2020143119A1 (en) Method, device and system for defending internet of things against ddos attack, and storage medium
JPWO2005036831A1 (en) Frame relay device
CN106101011B (en) message processing method and device
CN104601568A (en) Virtual security isolation method and device
US10536480B2 (en) Method and device for simulating and detecting DDoS attacks in software defined networking
US20110026529A1 (en) Method And Apparatus For Option-based Marking Of A DHCP Packet
WO2008131658A1 (en) Method and device for dhcp snooping
CN108429731A (en) Anti-attack method, device and electronic equipment
CN108965263A (en) Network attack defence method and device
CN106911724A (en) A kind of message processing method and device
JP2022500957A (en) Packet processing
CN111049782B (en) Protection method, device, equipment and system for rebound network attack
CN111740943B (en) Anti-attack method, device, equipment and machine readable storage medium
TW201535141A (en) Network device and method for avoiding ARP attacks
CN104506559B (en) DDoS defense system and method based on Android system
US10838942B2 (en) Network control software notification and invalidation of static entries
WO2019096104A1 (en) Attack prevention
CN107690004A (en) The processing method and processing device of address analysis protocol message

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230625

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.